At a security conference yesterday in Vancouver, a hacker exploited a security hole in Microsoft’s new Internet Explorer 8 in under two hours, taking control of a Sony laptop running an internal build of Windows 7. IE8 was launched earlier in the day amidst claims of superior security from Microsoft.

At a security conference yesterday in Vancouver, a hacker exploited a security hole in Microsoft’s new Internet Explorer 8 in under two hours, taking control of a Sony laptop running an internal build of Windows 7. IE8 was launched earlier in the day amidst claims of superior security from Microsoft.

advertisement

The hacker, a 25-year-old German researcher going by the handle “Nils,” won $5,000 and the Sony laptop on which he performed the hack in the annual contest PWN2OWN, that invites hackers to worm their way into popular browsers and operating systems for prize money.

In a recent security audit by a third-party firm, IE8 was substantially more effective at intercepting malware than Safari, Firefox, and the previous version of Internet Explorer. Immediately after completing his hack, “Nils” signed a non-disclosure agreement and exposed the flaw to Microsoft engineers. The researcher also found and exploited flaws in Safari and Firefox, so IE8 was no worse off than its peers. Engineers from each of the companies will develop patches to ameliorate the flaws that PWN2OWN hackers find.

(The second day of the PWN2OWN contest focuses on hacking mobile platforms; no winner prevailed. Today’s contest will focus on Google’s Chrome browser and the continuation of the mobile platform hack.)

Microsoft can still gloat over IE8’s greatly-improved security, despite the PWN2OWN breach–after all, no piece of software is perfect–but slowness still dogs the new browser. Of the top five browsers, IE 8 came in dead last in a JavaScript speed test run by Computerworld.com, and by no small margin: Chrome was four times faster in the test, the latest version of Firefox proved 59% faster, and Safari 47% faster. The question is: how much slowness will a user live with to be slightly more secure? For a browser to be less than half as fast as its competitors and gain fans, wouldn’t it have to be nearly perfect?

Microsoft has tried to take the emphasis off JavaScript speed tests in its press statements, opting to cite tests in which the top browsers race to load one of the Web’s top 25 most visited pages. In these tests, Microsoft claims IE8 loads 12 of those pages faster than either Chrome or Firefox, though it has refused to test against Apple’s Safari, that it says doesn’t have adequate marketshare to bear inclusion in the test. Redmond defends its tests by saying that JavaScript speed tests don’t represent an accurate array of a browser’s uses. The company has also taken pains to emphasize that IE8 is the fastest version of Internet Explorer ever released.

Only Microsoft could fall back on a claim like the latter–with Internet Explorer boasting a 72% marketshare, according to a Janco Associates survey, the browser’s improvements are necessarily important to three-quarters of the Web surfers on earth. But while its security cred will gain it plenty of mileage against its upstart competitors, IE8’s slowness might cause it to lose favor amongst capricious Internet users who can fire up any browser for free. After all, feeling the added protection of a better browser can wear off quickly as one waits for the homepage to putter along and load. By focusing on security out of necessity, Microsoft may have lost valuable ground in the speed races that grab users’ attention. That might end up making IE8 the losingest Internet Exploer yet, despite its vast improvements.